Execution Master

Discussion in 'other software & services' started by WildByDesign, Feb 11, 2018.

  1. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Execution Master

    Windows utility for intercepting the creation of processes and assigning standard actions to the execution of any program

    Link: https://github.com/diversenok/ExecutionMaster#execution-master
    Downloads: https://github.com/diversenok/ExecutionMaster/releases


    executionmaster.png


    The latest version also contains shell extension:

    executionmaster2.png
     
  2. guest

    guest Guest

    Interesting, seems to be a basic anti-exe.
     
  3. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,997
    Location:
    Poland - Cracow
    Yes, interesting, especially due to the managing of admin rights... it looks like EM can be a useful replacement for DMR and the "run as admin" system feature.
     
  4. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Does it match NVT's ERP?
     
  5. guest

    guest Guest

    It is not that kind of Anti-Executable.
    It makes use of the Windows mechanism Image File Execution Options.
    If you have Process Hacker installed and if it is set as the default Task Manager you'll see in the registry:
    Code:
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe    Debugger    REG_SZ    "C:\Program Files\Process Hacker\ProcessHacker.exe"
    The execution of taskmgr.exe is intercepted and instead of taskmgr.exe, ProcessHacker.exe will be executed (Action "Execute" in the GUI of Execution Master)

    If you select "Deny" it will set the appropriate executable as a Debugger ("..\Actions\Deny.exe")
     
  6. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,997
    Location:
    Poland - Cracow
    No matter whether it is defined as anti-exe or not... more important are the features that can be easily configured in a clear GUI.
     
  7. guest

    guest Guest

    Execution Master v1.10 Released (September 30, 2018)
    Download
     
  8. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Anyone know what the "run sandboxed" option does; AppContainer? Of note, it shows the Sandboxie icon for that option.
     
  10. guest

    guest Guest

    The shell extension of Sandboxie is responsible for "Run Sandboxed".
    After registering the shell extension of Execution Master, this will be added to the context menu: "Set launch action: (None, Ask, Deny, ...)"
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Yes, bad idea to mess around with these settings, not recommended.
     
  12. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Please explain.
    I heard of this setting before being used by malware (because of the easy connection to a debugger, etc.). Image File Execution Options are used to intercept calls to an executable, but as it became more widely exposed, safe programs like this one make use of it.
     
  13. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Some HIPS's have an option to create a rule to prevent an executable from being run in debug mode. That is what this utility is doing.
     
  14. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,434
    Location:
    Slovakia
    Yes, malware uses it all the time, but it is not a bug, it is a feature. :rolleyes:
    Some AVs block that key by default.
    Code:
    https://cybellum.com/doubleagentzero-day-code-injection-and-persistence-technique/
    I remove it before shutdown as a mitigation.
    Code:
    reg delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /f
     
  15. diversenok

    diversenok Registered Member

    Joined:
    Oct 7, 2018
    Posts:
    18
    Location:
    Russia / Netherlands
    Of course, you should know what you are doing. Execution Master even shows warnings when you try to mess around with system programs.

    Not exactly. The IFEO Debugger flag is not actually about debugging; it is about replacing the command line on the fly. That's all it does.

    Debugging is just a way that Actions use to bypass it (they need to run the original program somehow). And it is used only at the stage of process creation. After that, the Action immediately detaches from the new process. So, programs don't run in debug mode after initialization.

    I also know another way to bypass IFEO without using debugging on any stage. Maybe I'll implement it later.
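    As an added example (not code from Execution Master or from anyone in this thread): a small Python audit that parses a constructed `reg export` of the IFEO key, lists every subkey carrying a Debugger value (the mechanism described in post 5), shows the command line Windows actually starts (the point in post 15 that the Debugger value is a command-line substitution), and flags entries that are not on an assumed allowlist. The sample registry text and the `EXPECTED` allowlist are constructed assumptions for the demonstration.

```python
import re

# Constructed sample of `reg export` output for the IFEO key (not taken from the thread).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="C:\\Program Files\\Process Hacker\\ProcessHacker.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"MitigationOptions"=hex(b):00,10,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\calc.exe]
"Debugger"="C:\\Users\\Public\\svc.exe"
'''

IFEO_PREFIX = "\\Image File Execution Options\\"
KEY_RE = re.compile(r"^\[(.+)\]$")
STR_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')

# Debugger targets an administrator deliberately configured (assumed allowlist, constructed).
EXPECTED = {
    "taskmgr.exe": r"C:\Program Files\Process Hacker\ProcessHacker.exe",
}


def parse_debuggers(reg_text):
    """Return {image_name: debugger_path} for IFEO subkeys that set a Debugger value."""
    result, image = {}, None
    for line in reg_text.splitlines():
        m = KEY_RE.match(line.strip())
        if m:
            path = m.group(1)
            idx = path.find(IFEO_PREFIX)
            image = path[idx + len(IFEO_PREFIX):].lower() if idx != -1 else None
            continue
        m = STR_VALUE_RE.match(line.strip())
        if m and image and m.group(1).lower() == "debugger":
            # .reg files escape each backslash as \\ inside string values
            result[image] = m.group(2).replace("\\\\", "\\")
    return result


def effective_command_line(debugger, original_command_line):
    """What process creation actually starts when a Debugger value is set:
    the Debugger string with the original command line appended to it."""
    return f"{debugger} {original_command_line}"


def audit(reg_text):
    """Classify each Debugger entry as 'expected' (on the allowlist) or 'unexpected'."""
    findings = []
    for image, debugger in parse_debuggers(reg_text).items():
        verdict = "expected" if EXPECTED.get(image, "").lower() == debugger.lower() else "unexpected"
        findings.append((image, debugger, verdict))
    return findings
```

Running `audit()` over a real export lets you spot Debugger values that neither you nor a tool like Execution Master set; a persistent entry of that kind is what the earlier posts' concern about this key is about.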
     
  16. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @diversenok Thank you for the insight and details and also for sharing this program as open source. Keep up the great work! :thumb:

    Would there be any way to add the ability to start a process within an AppContainer sandbox and choose from a list of AppContainer capabilities?
    This, in my opinion, is a much needed program functionality in general. But would absolutely require capability choice though to be most functional.
     
  17. diversenok

    diversenok Registered Member

    Joined:
    Oct 7, 2018
    Posts:
    18
    Location:
    Russia / Netherlands
    @WildByDesign That's a great idea, thanks. Configurable actions are not an issue - I was planning to add some of them (like limiting CPU consumption up to the specified percentage). I was also thinking about adding more restrictive actions (prevent child process creation, deny any file modification). AppContainer sandbox can become an excellent addition. :thumb:
     
  18. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @diversenok You're welcome. Your suggestions to add more restrictions like preventing child process creation and more would be absolutely fantastic. I can see a lot of potential with those ideas, particularly powerful for a tiny portable application. I look forward to following development and will continue testing. Very creative program in general, for sure. I've utilized the IFEO registry keys for Process Mitigations for a while now and had no idea how much more potential could come out of IFEO and your program definitely shows that.
     
  19. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    By the way, if you do have any interest in AppContainer sandbox, I have some decent code examples to share in case they may be beneficial. I will place in spoiler below since it may be off topic for this thread.

    Link: https://github.com/AaLl86/retroware/tree/master/AppContainers
    Image: http://www.andrea-allievi.com/wp-content/uploads/2013/06/8.-Saferbytes-AppContainer-Launcher.jpg

    That is by Andrea Allievi (https://twitter.com/aall86), who is working with Microsoft now. His code example has good examples for AppContainer capabilities.


    Also there is PrivExec by the same developer who makes NSudo.

    Link: https://github.com/M2Team/Privexec

    PrivExec can start processes within AppContainer with limited/basic capabilities but no actual choice selection for choosing capabilities. A decent code example though.
     
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    What I meant is that I would rather not see these registry keys being modified since they are mostly associated with malware. But I have to say that Execution Master is an interesting app.
     
  21. diversenok

    diversenok Registered Member

    Joined:
    Oct 7, 2018
    Posts:
    18
    Location:
    Russia / Netherlands
    If it's interesting for anyone, I wrote a blog post about how the tool works. Image File Execution Options and related topics are full of surprises and neat pitfalls.
     
  22. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,348
    Location:
    Europe, UE citizen
    Are there known incompatibility problems with other security software, such as HIPS for example?
     
  23. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,348
    Location:
    Europe, UE citizen
    It seems not. No problem with Defense+ and AppGuard.
     